.comment: Strategic Linux

Unintended Consequences

September 26, 2001

By Dennis E. Powell

One of my favorite political thinkers, the late James Burnham,
famously noted that it is impossible to do just one thing. Any action
may bring about the intended consequences, but it will certainly bring
about some unplanned ones, too.

His observation came to mind over the weekend when I learned while
on a trip to the Washington D.C. area that the terrorist attack on the
World Trade Center will probably cause the shareholder lawsuits
against Linux distributors to come to a screeching halt.

The reason is this: The Securities and Exchange Commission office
in the World Trade Center complex was destroyed in the attack. It
contained the original material and evidence in the SEC's probe of
underwriter misbehavior in initial public stock
offerings. Class-action plaintiffs' lawyers, whose coat of arms is
emblazoned with the vulture, do not do their own work in most cases,
instead piggybacking on some federal investigation. This federal
investigation has now disappeared. Yes, it could probably largely be
recreated, but it's not the top item on the SEC's stack right now, for
a number of reasons. One is that securities manipulations having to do
with the attack itself are suddenly consuming a huge part of the SEC's
investigative resources. Another is that improprieties in IPOs
scarcely constitute a burning problem right now, in that nobody is
currently going public.

As it happens, it's unlikely that much would have come of the
lawsuits, anyway. Lawyers are having increasing difficulty getting
classes certified, and recent appellate rulings will make litigious
fishing expeditions far more difficult.

While we naturally recoil from deriving benefit from atrocious
acts, we gain nothing by ignoring the law of unintended consequences
-- especially in this case, where reaping the benefits can improve the
lot of the entire free world.

I'm talking about Linux, which has suddenly become of strategic
importance.

There are three reasons for the sudden added importance of Linux:
It is good. It is relatively secure and can be made very secure. And
it's out there. All three are important, but most important is the
last one.

Single Source vs. Open Source

There are problems with any system in which there is a single
source for a critical commodity. They involve quality and
vulnerability. When there is a single source, nothing forces the
quality to be high. When there is a single source and that source is
cut off, access to the commodity is cut off with it. Both apply to
the products of Microsoft Corporation. Indeed, Microsoft has managed
to combine them. Look at this from the Gartner Group, from just last
week:

"Gartner recommends that enterprises hit by both Code Red and
Nimda immediately investigate alternatives to IIS, including moving
Web applications to Web server software from other vendors, such as
iPlanet and Apache. Although these Web servers have required some
security patches, they have much better security records than IIS and
are not under active attack by the vast number of virus and worm
writers. Gartner remains concerned that viruses and worms will
continue to attack IIS until Microsoft has released a completely
rewritten, thoroughly and publicly tested, new release of
IIS."

Want to guess how long it will be before Microsoft rewrites IIS?
And if they announce that they have, how will we know they're
telling the truth? Very few people know what's in Microsoft's
code. Even if it were very good, this fact alone would represent a
tremendous vulnerability. The fact that it's not very good allows us
to see time and again the quality aspects of single source. In the few
days since Gartner's report, there has been yet another Outlook
macro virus. If one keeps downloading virus-signature updates for an
antivirus program that has been bolted onto Windows to paper over
some of that system's obvious shortcomings, one can be relatively safe
from this new infection. But nowhere do we see an outcry that the
underlying system itself be fixed. It has been, what, two years since Outlook's
vast and expensive security problem was first exploited, yet the
single source company that publishes it still has not fixed it. As
I've said before, nothing as important as computing has become can be
entrusted to a company that behaves so irresponsibly toward its own
customers. But it goes beyond that: nothing as important as computing
can be entrusted to a single company, period.

With Linux, though, fixes are quick, high security is possible,
and bad programs simply aren't used -- they're cast aside in favor of
something better. There is very little that cannot be done nowadays on
a Linux machine, the lone serious exception being interchanging
documents with boxen running Microsoft Office applications -- which
merely underlines my point about the dangers of single
source.

Linux is not entrusted to any small group of people. It is
available in source code to anyone who cares to have it. Its contents
are well known, and there are hundreds of thousands of people capable
of maintaining it. Tens of thousands, all over the world, do just
that. Security holes are found and fixed. New applications are
developed, hacked, released again, hacked some more, released some
more. Quality is the only driving issue. And it cannot be eliminated
by the elimination of any one company (or country, for that
matter).

This has been increasingly obvious for some time, never more so
than when the U.S. government's clandestine services let it be known
early this year that Microsoft code has been invaded so many times and
so thoroughly while sitting on Microsoft's own corporate machines that
it not only cannot be thought of as secure, it cannot be made
secure. Hence, the National Security Agency has undertaken
Security-Enhanced Linux (SELinux), a startling demonstration of the
strength of open source.

Computer security, we all knew, was important, but now it is
important as never before. Single source software cannot provide that
security, especially as it relates to Microsoft, which seems to have no
particular interest in security anyway. Open source can provide
security; indeed, there is no way that it won't unless the entire
Linux community suddenly takes leave of its senses, which is
unlikely.

But there is more to security than locking up our machines. The
most important fundamental is that our machines keep working, that our
information systems remain intact and uncorrupted. Linux is, of
course, not utterly invulnerable in this regard, but as we have seen,
vulnerabilities are found and fixed far more quickly when Linux is
involved than when Windows is involved -- again, Microsoft seldom
fixes the underlying problem, leading to the existence of an entire
industry devoted to putting a band-aid on Microsoft's problems. Though the
majority of websites are non-Microsoft, it is Microsoft's products
that have come closest to bringing down the web.

This is not Microsoft bashing, because it would apply equally to
any single source system. It is inevitable. A single source system is
capable of holding hostage, and it is capable of being held
hostage. Open source isn't.